Re: Rejecting weak passwords
| От | Tom Lane |
|---|---|
| Тема | Re: Rejecting weak passwords |
| Дата | |
| Msg-id | 5834.1255555073@sss.pgh.pa.us обсуждение |
| Ответ на | Re: Rejecting weak passwords ("Kevin Grittner" <Kevin.Grittner@wicourts.gov>) |
| Ответы |
Re: Rejecting weak passwords
Re: Rejecting weak passwords |
| Список | pgsql-hackers |
"Kevin Grittner" <Kevin.Grittner@wicourts.gov> writes:
> And, perhaps slightly off topic: if the login password is sent over a
> non-encrypted stream, md5sum or not, can't someone use it to log in if
> they're generating their own stream to connect?
Not if they only capture a login exchange --- the password is doubly
encrypted during that. If they see the md5'd password in a CREATE USER
command, then yeah, they could pass a subsequent md5 challenge, using
suitably modified client software that doesn't try to re-encrypt the
given password.
But the main point is to hide the cleartext password, in any case.
regards, tom lane
В списке pgsql-hackers по дате отправления: